Thycotic’s Cyber Security Publication

Why is least privilege the place to start for endpoint security?

January 23rd, 2018

Because it will save you time and money.

Your end users' computers are increasingly exploited as an attack vector for obtaining accounts with local administrator rights on Windows or root access on Mac OS. There are a lot of solutions that promise malware detection and prevention, and you can buy more and more software to try to stop these things from happening on the front lines. But implementing least privilege security is a best practice precisely because these threats are inevitable.

Don’t get me wrong, you absolutely do need layers of security. There’s no one right answer. But managing privileged accounts, which includes local admin and root accounts, is necessary to a successful overall security strategy.

The reason is simple. When you are logged in as an admin, every application that runs has unlimited access to that computer. If malicious code gets executed from a program, or browsing to a site automatically downloads something malicious, that code also gains unlimited access. Now imagine that the local admin account is also a privileged domain account. What if that account can be used to gain access to network resources, or to log in to other endpoints where sensitive data is stored?

You have to assume users still browse insecure sites, receive email and IMs, and maybe even play an online game or two during work that exposes them to opening or clicking on something malicious. Even if you keep up to date on patches and virus signatures, attackers and rogue employees can breach your perimeter. That means IT departments have to think about what power they're giving an exploit when it runs with admin privileges: its ability to compromise the system becomes much greater. Running as admin, an exploit can do anything with that access, like install keyloggers, brick your machine, plant trojan horses, really anything! And then the attacker can cover their tracks in the event log.

But the same kind of access would not be attained with only user privileges. If the user is running as a standard user, a malicious application can't be executed with admin rights, or simply can't be executed at all, and the attack is stopped and contained. That's why local admin accounts are heavily targeted by hackers, malicious software and, increasingly, rogue employees.

I've heard all of the reasons for just giving users local admin rights on their workstations, or for giving IT admins superuser rights on the servers they manage. Usually it isn't prioritized because of the risk of compatibility issues, a lack of IT resources for troubleshooting, politics and bureaucracy. But none of those reasons outweigh the security benefits you gain. No matter how the threat breaches your system, least privilege enforcement can ensure the attacker is contained and cannot escalate across your systems.
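Before you can remove local admin rights you need to know who holds them today. The following PowerShell audit is an added example, not code from Thycotic or from Privilege Manager; it assumes Windows 10 / Server 2016 or later (the built-in Microsoft.PowerShell.LocalAccounts module), and the approved-principal list in it is a placeholder to replace with your own.

```powershell
# Added example: list members of the local Administrators group on this
# endpoint and flag every principal that is not on the approved list.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember is available).

function Get-UnexpectedLocalAdmins {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list: the built-in Administrator account and one
        # domain group. Replace "EXAMPLE\Workstation Admins" with your own.
        [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator",
                               'EXAMPLE\Workstation Admins'),
        [string]$Group = 'Administrators'
    )

    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop

    foreach ($m in $members) {
        # Name comes back as COMPUTER\account or DOMAIN\account;
        # -contains compares case-insensitively for strings.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Approved = ($Allowed -contains $m.Name)
        }
    }
}

# Report anything that should not be there. The non-zero exit code lets a
# scheduled task or endpoint management tool flag the machine for follow-up.
$unexpected = Get-UnexpectedLocalAdmins | Where-Object { -not $_.Approved }
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    Write-Warning "$(@($unexpected).Count) unapproved member(s) in local $Group on $env:COMPUTERNAME"
    exit 1
}
Write-Output "Local Administrators on $env:COMPUTERNAME matches the approved list."
```

Run it from an elevated prompt on each workstation (or push it through your endpoint management tool) to build the inventory of accounts and groups that will lose admin rights when least privilege is enforced.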

How advanced you become may also depend on what compliance standards you have to meet. Regulations and frameworks like PCI DSS, HIPAA, SOX and NIST require that organizations apply least privilege access policies, so that information on your systems is accessed on a need-to-know basis. But it's not only about getting your enterprise compliant. There's a reason least privilege is a best practice. We have many clients who implement least privilege to create less complex, and thus more audit-friendly, environments. In the end, it is easier to prove a less complex environment compliant.

When organizations are ready to make their move towards least privilege, especially on end-user workstations, a product is usually required to ensure success. Our customers use Thycotic's Privilege Manager to remove, provision, and rotate local admin credentials, and they use the same product to ensure applications that require admin rights can still be safely used. That's one product to enforce an ultra-secure least privilege security posture and to implement application control so end users can remain productive.

Steve Goldberg

Steve Goldberg began his career as a consultant and developer but has more recently served as a senior technical resource for solution engineering and product management teams. At Thycotic, Steve works as Senior Product Manager for the Privilege Manager solution. When not working, he’s playing tennis, watching the LA Kings, seeing as much live music as possible, and pretending like he knows a lot about wine.